Quick LDAP setup for authentication

From Notes_Wiki

Home > CentOS > CentOS 6.x > LDAP servers > OpenLDAP > Quick LDAP setup for authentication

It is recommended that administrators make themselves aware of various details of LDAP configuration. However in case of urgency if a simple test setup is required for authentication testing then following steps can be used to setup an openLDAP server very quickly:

  • yum -y install openldap-servers openldap-clients openldap
  • Create /etc/openldap/slapd.conf file with following contents:
include /etc/openldap/schema/core.schema 
include /etc/openldap/schema/cosine.schema 
include /etc/openldap/schema/inetorgperson.schema 
include /etc/openldap/schema/nis.schema 

pidfile /var/run/openldap/slapd.pid 
argsfile /var/run/openldap/slapd.args 

#Assume base to be basedn unless specified otherwise
defaultsearchbase "dc=sbarjatiya,dc=com" 

#Disconnect idle users after 30 seconds
idleTimeout 30

#Maximum number of entries to return in a search query
sizelimit 100

#Maximum amount of real time to be spent for answering a single query in seconds
timelimit 10

##ACL configuration

#Ensure that only the same dn can see its own password
access to attrs=userPassword
      by self     write
      by anonymous auth
      by  *       none

#Allow users to update their telephone number
access to attrs=telephoneNumber
      by self     write
      by  *       read

#Allow users to update their address.  Another field postalAddress is still readonly.
access to attrs=gecos
      by self     write
      by  *       read

#Allow users to update their shadowLastChange when they change password.
access to attrs=shadowLastChange
      by self     write
      by anonymous auth
      by *       read

#Allow all other attributes to be read by everyone anonymously.
#Apart from password, telephoneNumber, gecos and shadowLastChange user cannot modify any of his own entries
#We definitely do not want users modifying uidNumber, gidNumber, loginShell or homeDirectory etc.

#Allow all other attributes to be read by everyone anonymously
access to *
      by *          read

#Database configuration
database bdb 
suffix "dc=sbarjatiya,dc=com" 
rootdn "cn=root,dc=sbarjatiya,dc=com" 
#Ideally this should be generated using slappasswd
rootpw ldaprootpasswd
directory /var/lib/ldap 

#By default for all attributes index for equality, presence
index default eq,pres
#For uid index for equality
index uid eq
#For names, email index for equal, sub-string, and approximate matches
index cn,gn,sn,mail eq,sub,approx
#For ou index for equality
index ou eq
#For telephone number index for equality
index telephonenumber eq

#Checkpoint after every MB of data or every 5 minutes
checkpoint 1024 5
  • Replace defaultsearchbase, suffix, rootdn, rootpw in /etc/slapd.conf appropriately
  • Use following commands (Only use on a new test server, these commands remove all old data)
rm /var/lib/ldap -rf
mkdir /var/lib/ldap
chown -R ldap:ldap /var/lib/ldap
service slapd stop
rm /etc/openldap/slapd.d -rf
mkdir /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
slapd -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d -h 'ldap://' -u ldap
service slapd restart
  • Create LDIF file for organization with following contents (Example <Dn> is dc=sbarjatiya,dc=com, <dc> is sbarjatiya, <o> is Barjatiya Softwares and <description> is Awesome software company)
#Main ldap base entry
dn: <Dn>
objectClass: dcObject
objectClass: organization
#dc is must for dcObject
dc: <dc>
#o is must for organization
o: <organization>
description: <description>
  • To add ldif file to ldap database use: "ldapadd -x -D '<root_dn>' -f <ldif_file> -W" and then enter root password.
  • Add organization units using LDIF file: (Example <dn> is ou=people,dc=sbarjatiya,dc=com, <ou> is people and description is All people in company)
dn: <dn>
objectClass: organizationalUnit
ou: <ou>
description: <description>
  • Add organization units for people, groups and hosts.
  • Add users using LDIF file (Example <dn> uid=saurabh,ou=people,dc=sbarjatiya,dc=com, <gn> Saurabh, <sn> Barjatiya, <cn> Saurabh Barjatiya, <mail> saurabh@example.com, <display_name> Saurabh Barjatiya, <telephone> 99999 88888, <postal_address> Hyderabad, India <uid> saurabh, <uid_number> 1001, <gid_number> 1001, <home_dir> /home/saurabh, <login_shell> /bin/bash, <gecos> Hyderabad, India <secret> is secret:)
dn: <dn>
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
gn: <given_name>
sn: <surname>
cn: <common_name>
mail: <email_address>
displayName: <display_name>
telephoneNumber: <telephone_number>
postalAddress: <postal_address>
uid: <uid>
uidNumber: <uid_number>
gidNumber: <gid_number>
homeDirectory : <home_dir>
loginShell: <login_shell>
gecos: <gecos>
userPassword: <secret>
shadowLastChange: 0
shadowMax: -1
shadowWarning: 99999
  • Add group using (Example <dn> cn=admin,ou=groups,dc=sbarjatiya,dc=com, <cn> admin, <secret> is secret and <gidnumber> is 1001
dn: <dn>
objectClass: top
objectClass: posixGroup
cn: <cn>
userPassword: <secret>
gidNumber: <gidnumber>
  • Add member to group using: (Example <dn> cn=admin,ou=groups,dc=sbarjatiya,dc=com, <memberuid> saurabh)
dn: <dn>
changetype: modify
add: memberuid
memberuid: <memberuid>
  • For adding member use ldapmodify (instead of ldapadd) as ldapmodify -x -D '<root_dn>' -f <ldif_file> -W
  • Add hosts using (Example <dn> cn=ldap,ou=hosts,dc=sbarjatiya,dc=com, <ip1>, <ip2> <cn1> ldap, <cn2> ldap.sbarjatiya.com
dn: <dn>
objectClass: ipHost
objectClass: device
ipHostNumber: <ip1>
ipHostNumber: <ip2>
cn: <cn1>
cn: <cn2>

Converting quick-server to LDAPS for security

To convert quick-server setup using above steps to LDAPS use:

  • Create ca certificate, server certificate and client certificate using easy-rsa
  • cp ca.crt ldap.sbarjatiya.com.crt ldap.sbarjatiya.com.key /etc/openldap/certs
  • chown -R ldap:ldap /etc/openldap/certs
  • chmod 755 /etc/openldap/certs/ca.crt
  • rm -rf /etc/openldap/slapd.d/*
  • Add following to /etc/openldap/slapd.conf before database entry
security  tls=1
security    ssf=1 update_ssf=112 simple_bind=64
TLSVerifyClient  allow
TLSCACertificateFile /etc/openldap/certs/ca.crt
TLSCertificateFile /etc/openldap/certs/ldap.sbarjatiya.com.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap.sbarjatiya.com.key
  • Edit /etc/sysconfig/ldap and change values to
  • Edit /etc/openldap/ldap.conf and update to
BASE    dc=rekall,dc=com
URI         ldaps://ldap.sbarjatiya.com/
#HOST   ldap2.rekall.com
TLS_CACERT /etc/openldap/certs/ca.crt
  • Edit /etc/hosts and add server-IP to server FQDN entry. This is absolute must if LDAP FQDN cannot be converted to IP using DNS.

Home > CentOS > CentOS 6.x > LDAP servers > OpenLDAP > Quick LDAP setup for authentication